In January 2022, a vulnerability in Twitter’s platform allowed an attacker to build a database of the email addresses and phone numbers of millions of users of the social platform. In a disclosure notice later shared in August 2022, Twitter advised that the vulnerability was related to a bug introduced in June 2021 and that they were directly notifying impacted customers. The impacted data included either an email address or a phone number alongside other public Twitter data, including the Twitter username, display name, bio, location and profile photo. The data included 6.7M unique email addresses across both active and suspended accounts, the latter appearing in a separate list of 1.4M addresses.
This is particularly problematic for everyone who uses an anonymous pseudonym on Twitter but still has that account connected to their own email address or phone number, since it makes it possible to deanonymize those accounts.
It may also reveal purely internal email addresses of many companies, which may now start to receive spam and phishing attempts.
The bug was quite simple: “[…] if someone submitted an email address or phone number to Twitter’s systems, Twitter’s systems would tell the person what Twitter account the submitted email addresses or phone number was associated with, if any” said Twitter in the blog post disclosing the vulnerability. It was found through Twitter’s bug bounty program in January 2022 and had been present since June 2021.
Twitter recommends what everyone using pseudonyms should do for all the accounts they create: “To keep your identity as veiled as possible, we recommend not adding a publicly known phone number or email address to your Twitter account.” They also recommend using 2FA, which is a good security practice, but would have had no impact on this particular breach.
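The lookup behaviour described above, as an added illustration that is not Twitter’s code: a toy “find my account” handler with the leaky response beside one that answers identically whether or not the identifier is registered, plus a small detection helper that flags sources submitting many distinct identifiers. The user table and log entries are constructed sample data.

```python
# Constructed sample data: identifier -> public username (not real accounts)
REGISTERED = {
    "alice@example.invalid": "alice_handle",
    "+15550100": "anon_bird",
}

# Stand-in for an out-of-band channel (e-mail/SMS to the submitted identifier)
_OUTBOX: list = []


def _queue_out_of_band_notice(identifier: str) -> None:
    """Hypothetical helper: deliver any account information to the
    identifier's owner only, never back to the caller."""
    _OUTBOX.append(identifier)


def lookup_vulnerable(identifier: str) -> dict:
    """The flaw the page describes: the response reveals whether the email
    or phone number is registered and even names the linked account."""
    username = REGISTERED.get(identifier)
    if username is None:
        return {"status": "not_found"}
    return {"status": "found", "username": username}


def lookup_hardened(identifier: str) -> dict:
    """Non-enumerable variant: every caller gets the same response body,
    so nothing about the identifier->account mapping leaks. (A real
    deployment also needs uniform timing and rate limits, not shown.)"""
    if identifier in REGISTERED:
        _queue_out_of_band_notice(identifier)
    return {"status": "ok",
            "message": "If this identifier is registered, instructions were sent to it."}


def flag_bulk_lookups(log: list, threshold: int = 3) -> set:
    """Detection helper over (source, identifier) pairs: a user who lost
    access submits one or two identifiers; a source that submits many
    *distinct* ones looks like a harvesting run and is returned."""
    distinct: dict = {}
    for source, identifier in log:
        distinct.setdefault(source, set()).add(identifier)
    return {src for src, ids in distinct.items() if len(ids) >= threshold}
```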
- Hacker selling Twitter account data of 5.4 million users for $30k
- Twitter confirms zero-day used to expose data of 5.4 million accounts
- Twitter breach exposed anonymous account owners
- An incident impacting some accounts and private information on Twitter
Accounts breached: 6682453
Breached on: January 01, 2022
Exposed data: Bios, Email addresses, Geographic locations, Names, Phone numbers, Profile photos, and Usernames
Added on: August 13, 2022